The 20 most common words in phishing attacks

By Kevin McCaney

Sep 26, 2012

When online spies or criminals want to get their hands on sensitive information, they usually start by going phishing, sending e-mails to people inside a government agency or contractor, trying to lure them to a malicious site or download a file where malware awaits.

Many of the high-profile attacks in recent years against agencies and government contractors involved targeted phishing — or spear-phishing — campaigns, from the hack of intelligence analysis company Strategic Forecasting to an attack on Oak Ridge National Laboratory.

In fact, according to the U.S. Computer Emergency Readiness Team, 51.2 percent of reported attacks on federal, state and local government agencies in 2011 involved phishing.

What can users do to keep their guard up? A new report from cybersecurity company FireEye that analyzes how malicious files get past traditional defenses also includes a helpful list of the most common file names and extensions being used in phishing attacks.

If you order anything to be shipped, whether for work or home, be careful of where your confirmation and tracking e-mails come from. The FireEye report says that, between the second half of 2011 and the first half of 2012, words related to shipping grew from 19.2 percent to 26.3 percent of phishing e-mails, with “label” and “invoice” being the most common.

Another tactic on the rise is sending e-mails that try to create a sense of urgency, which grew from 1.72 percent to 10.68 percent of the e-mails, the report said.

The 20 most common words in use in the first half of the year, and the percentage of phishing e-mails in which they appeared:

label, 15.17

invoice, 13.81

post, 11.27

document, 10.92

postal, 9.80

calculations, 8.98

copy, 8.93

fedex, 6.94

statement, 6.12

financial, 6.12

dhl, 5.20

usps, 4.63

8, 4.32

notification, 4.27

n, 4.22

irs, 3.60

ups, 3.46

no, 2.84

delivery, 2.61

ticket, 2.60

The five most common categories used in phishing e-mails were: postal (26.33 percent); urgency, such as confirmations and alerts (10.68); banking or tax matters (3.83); airline and travel information (2.45) and billing (0.68).

Phishers aiming to distribute malicious files generally try to get users to click on a link to a malicious website or download a file attached to the e-mail. In terms of attachments, users would be wise to be wary of .zip attachments, which appeared in 76.91 percent of the phishing e-mails FireEye checked in the first half of the year.

The next most common attachments were .pdf (11.79 percent), .exe (3.98), .doc (2.67) and .pif (1.09). The .exe extension, noting an executable file for downloading and running programs, was once the go-to extension for malware distribution, but with people learning to be careful about it, hackers have moved on to ZIP and PDF.

Tactics change, but the most common ruse at the moment is trying to get people to feel they can’t wait to find out about the matter at hand.

“By referencing important and usually time-sensitive information — express shipment notifications, tax return forms, financial account status, airline ticket confirmations, and so on — cybercriminals are fostering a sense of urgency in their targets, hoping to get them to rush into downloading the malware that exploits their system,” the report concludes.

Security experts have standard advice for avoiding phishing attacks, including keeping browsers and anti-virus software up to date, using a firewall and using anti-phishing toolbars. But very often, it comes down to a user’s decision to click or not to click. The more you know about how phishing campaigns operate, the safer you’ll be.